Re: SELinux - a call for end-of-life.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/02/2010 05:39 AM, Tim wrote:
> On Thu, 2010-09-02 at 04:24 +0100, Marko Vojinovic wrote:
>> Try to change the ownership of a file as an ordinary user (to "disown"
>> your own file), for example. The chown simply won't allow you to do
>> it, it is a serious security hole.
> 
> That's something that I've wanted to do, from time to time, give a file
> to someone else.  You can become root, if you're allowed, and chown it.
> Or you can copy the file to some mutually accessible place, and let them
> copy it to their own space.  The latter seems the best, but cumbersome.
> I can't think of another way, off the top of my head.
> 

Look into groups some time - they're a whole world of fun (and there to
solve the kind of problems you're discussing).

There are even mechanisms to allow you to create directories that can be
written to by all the group members but where you're not allowed to
delete each others stuff (set group ID (sgid) & sticky bit directories,
also now known as the "restricted deletion" flag).

You could also solve the above problem just by granting path search
permissions (chmod +x; it re-uses the executable bit for directories) to
a common group, or to all if you're happy with that and then allowing
the recipient read permissions on the file you wanted them to have
access to.

For even more fine-grained control there are access control lists (ACLs)
that Linux has supported for years and that give per-user and per-group
rwx controls for all objects in file systems that support their use
(virtually all common "Linux" file systems with the exception of things
like FAT, ISO9660 etc).

Regards,
Bryn.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux